Legal view: What you should know about the UAE’s VPN law

No clarity yet about what exactly constitutes a “crime” when using VPNs



The UAE’s official Telecommunications Regulatory Authority (TRA) clarified this week that the law governing virtual private networks (VPNs) in the country was only targeting illegitimate users.

The clarification came after the UAE modified its cybercrime law, increasing the fines for the illegal use of VPNs.

Read more: UAE’s TRA clarifies that VPN law will not affect ‘legitimate’ users

Media reports regarding the law led to a lot of confusion about whether the use of VPNs was now illegal in the country.

Andrew Fawcett, senior associate, TMT at Al Tamimi & Company explained: “Various media articles have been circulating that give the impression that an amendment to the UAE’s Cyber Crimes Law last week has now made the use of a virtual private network (VPN) illegal.

“We are still working on determining the definitive position on last week’s amendment – but at this stage, our view is the reports overstate its effect,” he said.

The amended clause of the law now states: “Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by temporary imprisonment and a fine of no less than Dhs500,000 and not exceeding Dhs2,000,000, or either of these two penalties.”

Fawcett said: “If that is correct, then the primary change is actually just an increase of the applicable fines (from the previous Dhs15,000 to Dhs500,000 to the new Dhs500,000 to Dhs2,000,000).

“The change does not appear to make using a VPN on its own illegal – it still requires using a fraudulent IP address for the purpose of committing a crime or preventing its discovery (which was already the case under the “old” Article 9, which has been around since 2012).”

Hence the use of VPNs for legitimate purposes should not constitute a crime.

Also, under Article 9, an action may not be initiated against anyone for simply just using a VPN service, but an additional charge can be filed under against a person caught in an illegal act when he or she is found to have used a VPN as well, he clarified.

“However a potential issue is what constitutes a “crime” may be broader in the UAE context,” Fawcett admitted.

For example, using an information technology tool to “encourage, incite or promote sins” is considered a crime under Article 35 of the cybercrimes law. A service provider (not a user) supplying a regulated activity such as VoIP telephony (eg Skype) without a licence is also illegal under the UAE telecommunications law.

“Corporates can use VPNs provided that the terms and conditions of the service provider contract (with Etisalat or du) allows for having VPN tunnels over their connectivity services,” he added.

In its release, the TRA stressed that “there are no regulations which prevent the use of VPN technology by companies, institutions and banks to access their internal networks through the internet.”

It added: “However, business users can be held accountable, like the use of any other technology, if it has been misused.”